The Python folks have discovered a flaw in SimpleXMLRPCServer that can affect any XML-RPC servers. This affects any programs that have been written that allow remote untrusted users to do unrestricted traversal and can allow them to access or change function internals using the im_* and func_* attributes.

Info:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0089
https://bugzilla.redhat.com/beta/show_bug.cgi?id=146645

------- Bug moved to this database by dkl 2005-03-30 18:31 -------

This bug previously known as bug 2421 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2421
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
This bug either had no qa contact or an invalid one.
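The dotted-name traversal described in the report above, shown from the defender's side as an added example (not code from this bug report or from the Python project). It uses the `allow_dotted_names` argument of `register_instance` in Python 3's `xmlrpc.server`, the successor to SimpleXMLRPCServer; the `Service` and `Store` classes are constructed for illustration, with the nested `store` object standing in for internals that were never meant to be reachable.

```python
from xmlrpc.server import SimpleXMLRPCDispatcher


class Store:
    """Constructed helper object; not intended to be remotely callable."""

    def __init__(self):
        self.items = {"motd": "hello"}

    def wipe(self):
        self.items.clear()
        return True


class Service:
    """Constructed service; ping() is the only intended RPC method."""

    def __init__(self):
        self.store = Store()

    def ping(self):
        return "pong"


def dispatch(method, allow_dotted_names):
    """Resolve and call `method` as the server would; return (ok, result)."""
    dispatcher = SimpleXMLRPCDispatcher()
    dispatcher.register_instance(Service(), allow_dotted_names=allow_dotted_names)
    try:
        # No network involved: _dispatch is the lookup step the server runs
        # on the method name taken from the request.
        return True, dispatcher._dispatch(method, ())
    except Exception as exc:
        return False, str(exc)


def audit(candidates=("ping", "store.wipe", "ping.__globals__")):
    """Report which method names resolve with traversal on and off."""
    return {
        name: {"dotted_on": dispatch(name, True)[0],
               "dotted_off": dispatch(name, False)[0]}
        for name in candidates
    }


if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name:20} {result}")
```

With traversal enabled, `store.wipe` is callable even though it was never registered; with the default `allow_dotted_names=False` only `ping` resolves. Names starting with an underscore are refused in both modes, a check that the `im_*` and `func_*` attributes named in the report do not trip because they carry no leading underscore.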
Corresponding fixed Python packages were announced in http://rhn.redhat.com/errata/RHSA-2005-109.html which has classification "Important".
There is a package for RH7.3 at ftp://ftp.harddata.com/pub/Legacy_packages/python2-2.2.2-11.7.3.1.legacy.src.rpm

These sources include a fix for CAN-2005-0089, and also for other SSL security issues (lifted from updates to RHEL) and a fix for pcre issues (CAN-2005-2491, #169235). Neither the python-1.5.2-... packages, nor python-xmlrpc-1.5.1-7.x.3, for RH7.3 seem to be affected by CAN-2005-0089. It does not look like the code in question, or something similar, is there. For other distributions it seems that a fix for CAN-2005-0089 will be either the same as or very similar to the one applied here. In any case, code from the corresponding RHEL update sources will apply.
(Michal and Jim - hope you don't mind my adding you to the cc: for this bug.)

Since Michal has proposed the python2-2.2.2-11.7.3.1.legacy.src.rpm packages as a fix not only for this bug report's issue, but also for the CAN-2005-2491 pcre issue (handled in Bug #169235), I suggest we re-title 169235 to be "CAN-2005-0089 CAN-2005-2491 python multiple security issues" and continue all work on CAN-2005-0089 there. We can make this bug report's success depend on that one. That way we can track all of python's pending security issues in one bug report rather than two. Would you mind changing the title of 169235, Jim?
David, Thank you for adding me to this bug. For the record I would rather be added than deleted. ;-) I have renamed 169235 as you proposed.
I'm closing this bug if we continue tracking on #169235.

*** This bug has been marked as a duplicate of 169235 ***